Depending on the services in scope, the following will form key components of cloud contracts. Because contracts vary significantly between cloud service providers, not all of these may be captured or covered. This is a typical, illustrative list rather than an exhaustive one:
- Performance measurement – how will this be performed and who is responsible for the reporting?
- Service Level Agreements (SLAs)
  - Availability and associated downtime
  - Expected performance and minimum levels of performance
- Incident response
  - Resolution timeframes
  - Maximum and minimum period for tolerable disruption
  - Issue resolution
  - Communication of incidents
- Investigations
  - Capturing of evidence
  - Forensic/eDiscovery processes
  - Civil/State investigations
  - Tort Law/Copyright
- Control and compliance frameworks
  - ISO 27001/2
  - COBIT
  - PCI DSS
  - HIPAA
  - GLBA
  - PII
  - Data protection
  - Safe Harbor
  - U.S. Patriot Act
- Business Continuity and Disaster Recovery
  - Priority of restoration
  - Minimum levels of security and availability
  - Communications during outages
- Personnel checks
  - Background checks
  - Employee/Third-party policies
- Data retention and disposal
  - Retention periods
  - Data destruction
  - Secure deletion
  - Regulatory requirements
- Data access requests
  - Data protection/Freedom of information
- Key metrics and performance related to Quality of Service (QoS)
- Independent assessments/certification of compliance
- Right to audit (including the period or frequency permitted)
- Ability to delegate/authorize third parties to carry out audits on your behalf
- Penalties for nonperformance
  - Delayed or degraded performance penalties
  - Payment of penalties (supplemented by service or financial payment)
- Backup of media, and relevant assurances related to the format and structure of the data
- Restrictions on, and prohibition of, the use of your data by the CSP without prior consent, or for purposes other than those stated
- Authentication controls and levels of security
  - Two-factor authentication
  - Password and account management
  - Joiner, Mover, Leaver (JML) processes
  - Ability to meet and satisfy existing internal access control policies
- Restrictions and associated Non-Disclosure Agreements (NDAs) from the cloud service provider related to the data and services utilized
- Any other component or requirement deemed necessary and essential
Failing to address any of the components listed above can result in hidden costs accruing to the cloud customer when additions or amendments to the contract become necessary. Isolated and ad hoc contract amendment requests typically take longer and consume more resources than addressing the same points at the outset.